Hot Topic

WannaCry Update

INTRODUCTION

Europol confirmed Sunday that computer networks in more than 150 countries and more than 200,000 people had been affected by one of the biggest cybersecurity attacks in recent history and the single biggest ransomware event, ever. Europol further believes that the number of affected networks and individuals is likely to go up, as many workers left their computers turned on Friday [12th May, 2017] and will probably discover that they are also affected by the malware when they return to work.

It remains unclear what the motivation was for the attack. Usually, ‘ransomware’ attacks are designed to be revenue sources, but in this case the ransom was quite low, asking for an initial ransom of $300. Although the investigation is ongoing, Europol thinks the malware began to spread Friday from Europe (Spain and the UK). It then affected networks in other countries, including Germany, China, Russia, Taiwan, Ukraine, and India.

There has been a global response from cyber security technicians scrambling to not only restore Britain’s crippled hospital network Saturday, but also to secure the computers that run factories, banks, government agencies and transport systems in many other nations.

SO HOW DID IT HAPPEN?

The attack held hospitals and other entities hostage by freezing computers, encrypting data and demanding money through online bitcoin payments. Security experts rate it as a relatively “low-level” attack, given the amount of ransom demanded — $300 at first, rising to $600 before it destroys files hours later. That said, there are a couple of concerns which should be considered from this variant of the WannaCry attack:

The worm spread quickly and widely thanks to an unusual confluence of factors: a known and highly dangerous security hole in Microsoft Windows, tardy users who didn’t apply Microsoft’s March software fix, and a software design that allowed the malware to spread quickly once inside the networks of the NHS, universities, businesses and even government networks.

The originators of the attack were able to exploit a security hole (nicknamed EternalBlue) disclosed weeks ago by the Shadow Brokers, a mysterious hacking group who stole the data from the US National Security Agency (NSA). Microsoft swiftly released software “patches” to fix those holes in March, but many users still haven’t installed updates or still use older versions of Windows that are only serviced by Microsoft under extended service contracts (such as corporations who still run Windows XP).[1] Traditionally hackers have used widespread phishing attacks to get ransomware on systems, spraying infected documents or website URLs at their victims. In this case, hackers sent a zip file attachment in an email. When victims clicked on it, their computers were infected. But the attack didn’t stop there. The ransomware spread through the hospitals’, universities’ and businesses’ computer networks. While security professionals typically focus on building walls to block hackers from entering, security tends to be less rigorous inside the network. The authors of the WannaCry variant knew this and exploited the common techniques employees use to share files via a central server, across geographies and between organisations. The fact that victims didn’t have to open the infected files, and that the worm was able to transfer across open, legitimate file-sharing arrangements and practices, is what led to the proliferation of the attack.
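To make the spread mechanism above concrete, the following is an added example (not code from the original briefing or from any vendor it names): a small Python model of a worm that needs only open file-sharing reachability, not a user opening an attachment, to move between hosts. The hosts, segments and patch status are constructed for illustration. It goes slightly beyond the text by comparing a flat network with one where file sharing is confined to each segment, which is the general form of the “less rigorous inside the network” point.

```python
"""Toy model of worm spread over file-sharing reachability (added example).

A host is infectable only if it is unpatched; a patched host is neither
infected nor used as a relay. Everything below is constructed sample data.
"""
from collections import deque
from itertools import combinations

# Constructed inventory: 12 hosts in three network segments, three of them
# already patched against the vulnerability the worm uses.
HOSTS = {
    "a1": {"segment": "clinical", "patched": False},
    "a2": {"segment": "clinical", "patched": False},
    "a3": {"segment": "clinical", "patched": True},
    "a4": {"segment": "clinical", "patched": False},
    "b1": {"segment": "admin", "patched": False},
    "b2": {"segment": "admin", "patched": True},
    "b3": {"segment": "admin", "patched": False},
    "b4": {"segment": "admin", "patched": False},
    "c1": {"segment": "lab", "patched": False},
    "c2": {"segment": "lab", "patched": False},
    "c3": {"segment": "lab", "patched": False},
    "c4": {"segment": "lab", "patched": True},
}


def file_sharing_links(hosts, segmented):
    """Return {host: set(reachable hosts)} over file-sharing (SMB-style) paths.

    segmented=False models the flat network the text describes, where any
    host can reach any other; segmented=True only permits sharing inside a
    host's own segment.
    """
    links = {h: set() for h in hosts}
    for a, b in combinations(hosts, 2):
        if segmented and hosts[a]["segment"] != hosts[b]["segment"]:
            continue
        links[a].add(b)
        links[b].add(a)
    return links


def simulate_spread(hosts, links, seed):
    """Breadth-first propagation from one initially infected host.

    No user action is modelled: an unpatched host reachable from an infected
    one is infected and relays onward. Returns the set of infected hosts.
    """
    if hosts[seed]["patched"]:
        return set()
    infected = {seed}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for nxt in links[current]:
            if nxt not in infected and not hosts[nxt]["patched"]:
                infected.add(nxt)
                queue.append(nxt)
    return infected


def compare(hosts, seed):
    """Infected-host counts for the same inventory, flat versus segmented."""
    flat = simulate_spread(hosts, file_sharing_links(hosts, False), seed)
    seg = simulate_spread(hosts, file_sharing_links(hosts, True), seed)
    return {"flat": len(flat), "segmented": len(seg), "total": len(hosts)}


if __name__ == "__main__":
    print(compare(HOSTS, "a1"))  # one infected clinical workstation as the seed
```

With the constructed data the flat network loses every unpatched host (9 of 12) from a single seed, while segmentation alone confines the same worm to the three unpatched hosts in the seed's segment; patching the seed host stops it outright.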

The attackers, who have yet to be identified, had included a “kill switch” in their attack, a way of disabling the malware in case they wanted to shut down their activities. To do so, the assailants included code in the ransomware that would stop it from spreading if an online request it sent to a specific website, such as one created by the attackers, succeeded. When a British researcher noticed during the attack that the kill switch’s domain name had not been registered, he bought it himself. By making the site go live, the researcher inadvertently shut down the attack before it could fully spread to the United States, experts said.[2]

According to experts, it is believed that the activation of the kill switch before US businesses came online (due to the time difference) is why the US hasn’t been as badly affected as the rest of the world, so far. But it’s only temporary. All the attackers would need to do is create a variant of the hack with a different domain name. Security experts anticipate that other criminals may be tempted to mimic the success of Friday’s ransomware attack. In fact, a new variant of the code (with a different hardcoded domain kill switch) has been detected. However, if precautions are taken, such as patching the Windows vulnerability, experts say it will be difficult for them to replicate the conditions that allowed the WannaCry ransomware to proliferate across the globe.
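As an added detection example (not from the original page), the following Python reads DNS log lines and flags internal hosts that looked up a kill-switch domain, since the page notes that each variant checks a hard-coded domain before spreading. The domain names, log format and log lines are constructed placeholders: the page does not name the real domains, so substitute the indicators published by your CERT. A host whose lookups never resolved is one where the kill switch could not have fired, so it is triaged for isolation first.

```python
"""Flag hosts that reached for a WannaCry-style kill-switch domain (added example).

Any lookup of such a domain means the host executed the worm's pre-spread
check and should be treated as infected. The DNS rcode shows whether the
domain was live (registered/sinkholed) at that moment: an NXDOMAIN answer
means the kill switch could not have stopped propagation on that host.
"""
import re

# Placeholder kill-switch domains (constructed; not the real indicators).
KILL_SWITCH_DOMAINS = {
    "killswitch-variant1.example",  # placeholder for the original variant
    "killswitch-variant2.example",  # placeholder for a later variant
}

# Constructed sample log in a simple "timestamp client query=... rcode=..." format.
SAMPLE_DNS_LOG = """\
2017-05-12T11:02:13Z 10.1.4.22 query=www.intranet.example rcode=NOERROR
2017-05-12T11:02:14Z 10.1.4.22 query=killswitch-variant1.example rcode=NXDOMAIN
2017-05-12T11:02:15Z 10.1.4.23 query=killswitch-variant1.example rcode=NXDOMAIN
2017-05-12T11:02:16Z 10.1.4.22 query=killswitch-variant1.example rcode=NXDOMAIN
2017-05-12T13:40:01Z 10.1.9.7 query=killswitch-variant1.example rcode=NOERROR
2017-05-12T13:41:09Z 10.1.9.8 query=killswitch-variant2.example rcode=NXDOMAIN
2017-05-12T13:42:00Z 10.1.4.30 query=updates.vendor.example rcode=NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query=(\S+) rcode=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "rcode": rcode}


def find_kill_switch_lookups(log_text, domains=KILL_SWITCH_DOMAINS):
    """Return {client_ip: {"count", "first", "domains", "domain_live"}} for
    every client that queried any kill-switch domain."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] not in domains:
            continue
        entry = hits.setdefault(rec["client"], {
            "count": 0, "first": rec["ts"], "domains": set(), "domain_live": False})
        entry["count"] += 1
        entry["domains"].add(rec["qname"])
        if rec["rcode"] == "NOERROR":
            entry["domain_live"] = True  # domain resolved, so the kill switch could fire
    return hits


def triage(hits):
    """Order response: hosts whose lookups never resolved had no working kill
    switch and may still be spreading, so they are isolated first. Hosts where
    the domain resolved still need cleaning; only the propagation was halted."""
    return {ip: ("isolate-first" if not h["domain_live"] else "kill-switch-likely-fired")
            for ip, h in hits.items()}


if __name__ == "__main__":
    found = find_kill_switch_lookups(SAMPLE_DNS_LOG)
    for ip, verdict in triage(found).items():
        print(ip, found[ip]["count"], sorted(found[ip]["domains"]), verdict)
```

Because the check is keyed on the domain set, a newly reported variant is covered by adding its domain, which mirrors the point in the text that a fresh variant only needs a different hard-coded name.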

WHO WAS AFFECTED?

As a self-perpetuating attack which exploited a hole in older versions of Microsoft Windows, there was no clear target. The worm moved without prejudice across the globe and across industries. From Portugal to Turkey, Indonesia, Vietnam, Japan, Germany and Russia, those affected spread well beyond the NHS in the UK.

Kaspersky Lab, a Moscow-based Internet security firm, said that the attacks were mostly in Russia. One reason Russia may have been hit so hard is the use of outdated software by industry and government agencies. Not only is Russia’s software out of date, but much of it is pirated as well. According to one Interior Ministry official, in 2013 the ministry estimated that 40 percent of its computers could have been using pirated Windows software, which is widely available in Russia for download or at local computer markets.

With this in mind, we should not be shocked by the list of the top 20 most affected countries (the chart referred to was issued relatively early after the event began and may change in the coming days). As such, I don’t think we should be surprised by the affected industries, either. For example, while hospitals spend billions on technology a year, hospitals lag far behind many industries in upgrading their security and doing basic software updates. According to the CIO of the Beth Israel Deaconess Medical Center and Harvard Medical School, John D. Halamka, health-care organizations in general spend 2 to 4 percent of their operating budgets on information technology, compared with 25 to 35 percent for financial services.

Given this, it is unsurprising that 48 out of 248 NHS organizations across the UK were affected by the largest-ever cyber-extortion attack, with some forced to cancel or delay treatment for patients, even those with serious ailments like cancer.

Spain’s National Cryptologic Center, part of that country’s intelligence agency, reported a “massive ransomware attack” against Spanish organizations. At Telefonica, in Madrid, security department officials ordered employees to switch off their computers and disconnect from WiFi. Gas Natural was also one of the named organisations affected by the WannaCry worm.

Brazil’s state-owned oil company Petrobras and Brazil’s Foreign Ministry also were affected, and both have disconnected computers as a precautionary measure.[3]

FedEx Corp. reported that its Windows computers were “experiencing interference” from malware, although it wouldn’t say whether it had been hit by the ransomware. Other impacts in the U.S. were not readily apparent on Saturday.

French carmaker Renault’s assembly plant in Slovenia was halted after it was affected by the global cyberattack. The Revoz factory in the south-eastern town of Novo Mesto stopped working on Friday evening to stop the malware from spreading. Renault representative Nevenka Basek Zildzovic confirmed that “some troubles occurred with some parts of IT system at Revoz.” She said production was suspended during the night, and added that “production remains halted [Saturday] too.” Union members confirmed that Renault was further forced to halt production at sites in France in an effort to stop the malware from spreading. The consequences for the company remain unclear.

Germany’s national railway says that it was among the organizations affected by the global cyberattack but there was no impact on train services. Deutsche Bahn says that departure and arrival display screens at its stations were hit Friday night by the attack. The company said it deployed extra staff to busy stations to provide customer information, and recommended that passengers check its website or app for information on their connections.

While we have not seen it yet, we do believe that certain industries are more susceptible than others. Consider, for example, that when Microsoft stopped servicing XP in 2014, 75% of the globe’s ATMs were using the operating system. While many banks will have worked to address this, we still expect that the banking industry is susceptible to WannaCry, especially depending on geographic location and propensity for maintaining security standards.

HOW SNOWDEN AND GDPR TOLD US THIS WOULD HAPPEN

Despite warnings, the NSA built dangerous attack tools that could target Western software; Mr Snowden said, “Today we see the cost.” He also said, “Congress should be asking the NSA if it is aware of any other software vulnerabilities that could be exploited in such a way.”

We have been aware that the NSA has been using backdoors to conduct espionage as well as developing weaponised programs to be able to take down its targets as needed. When we discovered that weaponised code had been released earlier this year, we should have expected this day to come.

In light of today’s attack, Congress needs to be asking @NSAgov if it knows of any other vulnerabilities in software used in our hospitals.

Some security experts believe that the biggest cyber extortion attack in history is going to be dwarfed by the next big ransomware attack; we are lucky that this attack was not targeted, especially against critical infrastructure like nuclear power plants, dams or railway systems.

Running Windows XP in a cardholder data environment has made companies non-compliant with PCI standards since 2014, when Microsoft announced that they would no longer be servicing the operating system except under contract with large commercial clients. As of 2015, Cyber Essentials, the UK government’s program for vetting public sector IT suppliers’ cyber hygiene, will fail an organization if it is still using Windows XP. Yet the UK government did not take up the contract with Microsoft to service its Windows XP, and as a result these systems have not been patched since 2015.

Given this, it comes as no surprise that GDPR has been introduced!

This widespread event has raised some glaring exposures for organisations who will be looking to become compliant with GDPR in the next year. For data controllers such as the NHS and Telefonica, to fall victim to a cyber event launched against vulnerabilities in obsolete Microsoft operating systems will cause these organisations serious concern once the GDPR is enacted in May of 2018. Of course there are a number of articles within the GDPR which could cause concern for the client, but for the purpose of simplicity, I would point to the principles proposed in Article 32, Security of Processing, under which data controllers must use appropriate security measures to protect the data stored.

Not only does this section address issues around pseudonymisation and encryption, but also the ability to ensure availability and resilience of processing systems and services as well as the ability to restore the availability and access of personal data in a timely manner in the event of a physical or technical incident. While reports are still coming forward with regard to lost data due to these global attacks, the argument that the ICO or the local Data Protection Authority in Spain would make with regard to the NHS and Telefonica, respectively, is whether or not these entities were negligent for using obsolete systems to drive critical elements of their respective infrastructure.

It is hard to be definitive on the matter, but it would be challenging for these entities to prove that they weren’t negligent as the security architecture was critically compromised through the use of the unpatched operating systems.

HAS THE INSURANCE INDUSTRY SEEN THIS BEFORE?

Heartbleed, Shellshock, the ILOVEYOU virus, even CryptoLocker are a microcosm of the threats which expose the challenges of working in today’s interconnected world. These are all exploits which pose a potential systemic exposure to multiple clients as they target operating systems, software, and security vulnerabilities. Further, we had been asking questions with regard to using obsolete operating systems through 2015 and 2016 with a particular focus on Windows XP, given its broad commercial use. As such we cannot be surprised by these events, especially given the proliferation of ransomware that we have seen over the past two years.

The challenge for the industry, however, is understanding the probable maximum loss (PML) in the event of an internet-wide attack. That is, insurers must not assume that an exploit will trigger a full limit loss on all policies. CryptoLocker, for example, is ransomware that can be effectively ring-fenced and removed for a cost within the retention, if clients take advantage of the vendor partnerships the industry provides as part of today’s solutions. Of course when it comes to ransomware attacks, we need to consider not only the extortion event itself, but any business interruption loss which might occur, as well as any potential theft of the insured’s data. We mention CryptoLocker as we have experience of dealing with this type of ransomware, but the principles applied will be the same for the WannaCry worm.

When ransomware encrypts, it converts files into a form that can only be read with a key held by the attacker. Often, you won’t even know you’ve been targeted until you try to open a file. Another, more damaging version is what happened Friday: the ransomware locks you out of your entire system.

Either method is a concern for our clients, with different responses being needed depending on the event at hand. In this instance the WannaCry worm uses 256-bit encryption, and threatens to delete the affected files if the ransom isn’t paid. Now add the panic of a global event: while security experts are urging organisations not to pay, so as to limit the success of this global operation, people and organisations are panicking. The value of the bitcoin wallets holding the ransoms was originally expected to exceed the $1 billion mark. However, this has been revised down significantly, with current estimates of the value of these wallets in the tens of thousands (as of Sunday, May 14th, 2017).

Why? Organisations are getting better at preparing for these events and have used their backup procedures and access to security professionals to support remediation after the event. Our vendors, Symantec, Crypsis, and Cyber Scout have all posted blogs about best practices for what organisations should be doing to prevent this attack and also for remediation – Call the experts.

FALLOUT TO THE INDUSTRY

It will be interesting to see how things play out for the cyber insurance industry as a whole. The demographic of organisations most hit by this attack is likely to limit the exposure to insurers in this instance, given that a large percentage of cyber coverage is currently purchased by US organisations, and the worm was killed before it was really able to attack the US.

Furthermore, one might assume that the SME portfolio might be hardest hit. However, the SME portfolios within the cyber insurance industry are also heavily skewed towards the US. In addition, many SMEs will have been formed post Windows XP and, as their systems tend to be a bit more nimble and interact heavily with third-party IT vendors, it is less likely that they would still be operating out-of-service operating systems.

In contrast, larger organisations with heavy reliance on SCADA, industrial control systems, legacy systems, and sprawling networks (like ATM networks) are much more likely to be affected as they are more likely to be operating older operating systems. Whilst the actual ransom amount itself is very low, the potential downtime for, say, a large manufacturer could result in extensive business interruption losses which may or may not fall within the self-insured retention.

Insurers already underwrite to the issues highlighted by this large scale attack. However, it is even more important for insurers to have answers to the following key considerations when assessing a company for cyber insurance:

Whether the company runs out-of-service operating systems, such as Windows XP, and if so, whether it has an extended contract to provide support and/or whether these systems are completely offline and segregated from the network.

An understanding of the company’s patching procedures, including confirmation that all critical patches are deployed as a priority and an understanding of timeframes around patching generally.

Confirmation that the company has a Disaster Recovery/Business Continuity plan, including an understanding of any redundancies in place, to ensure the company is able and ready to deal with an attack of this nature.
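The three considerations above can be turned into a repeatable check. The following is an added example (not EmergIn’s own underwriting tool, nor anything from the vendors named on this page) that scores a constructed asset inventory and control questionnaire against them: out-of-service operating systems with or without extended support and segregation, critical-patch lag against a stated SLA, and the presence and recency of a tested DR/BCP plan. The thresholds (a 14-day critical-patch SLA, 90 days of lag for a high finding, 365 days since the last DR test) and the list of unsupported operating systems are assumptions for the example.

```python
"""Score an applicant against the three underwriting considerations (added example).

All inventory, questionnaire answers and thresholds are constructed; the
unsupported-OS list is an assumption and should come from the insurer's
own reference data.
"""

# Assumed reference list of operating systems outside vendor support.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}

# Constructed inventory for a hypothetical applicant.
ASSETS = [
    {"name": "pacs-01", "os": "Windows XP", "extended_support": False,
     "segregated": False, "days_since_critical_patch": 410},
    {"name": "atm-ctl", "os": "Windows XP", "extended_support": True,
     "segregated": True, "days_since_critical_patch": 30},
    {"name": "fs-02", "os": "Windows Server 2012", "extended_support": False,
     "segregated": False, "days_since_critical_patch": 45},
    {"name": "ws-117", "os": "Windows 7", "extended_support": False,
     "segregated": False, "days_since_critical_patch": 9},
]

# Constructed questionnaire answers: patch SLA and continuity planning.
CONTROLS = {"critical_patch_sla_days": 14, "dr_plan": True, "dr_last_tested_days": 500}


def check_unsupported_os(assets):
    """Consideration 1: out-of-service OS, mitigated only by extended support
    or by being offline/segregated from the network."""
    findings = []
    for a in assets:
        if a["os"] not in UNSUPPORTED_OS:
            continue
        if a["extended_support"] or a["segregated"]:
            sev, why = "medium", "out-of-service OS mitigated by extended support and/or segregation"
        else:
            sev, why = "high", "out-of-service OS with no extended support, reachable from the network"
        findings.append({"asset": a["name"], "area": "unsupported-os",
                         "severity": sev, "detail": why})
    return findings


def check_patching(assets, sla_days):
    """Consideration 2: critical patches deployed within the stated SLA;
    lag beyond 90 days (assumed threshold) is treated as high."""
    findings = []
    for a in assets:
        lag = a["days_since_critical_patch"]
        if lag <= sla_days:
            continue
        sev = "high" if lag > 90 else "medium"
        findings.append({"asset": a["name"], "area": "patching", "severity": sev,
                         "detail": f"critical patch lag {lag}d exceeds SLA {sla_days}d"})
    return findings


def check_continuity(controls):
    """Consideration 3: a DR/BCP plan exists and has been exercised recently."""
    if not controls["dr_plan"]:
        return [{"asset": "-", "area": "continuity", "severity": "high",
                 "detail": "no Disaster Recovery/Business Continuity plan"}]
    if controls["dr_last_tested_days"] > 365:
        return [{"asset": "-", "area": "continuity", "severity": "medium",
                 "detail": f"DR plan last tested {controls['dr_last_tested_days']}d ago"}]
    return []


def assess(assets, controls):
    """Combine the three checks; the overall rating is the worst finding."""
    findings = (check_unsupported_os(assets)
                + check_patching(assets, controls["critical_patch_sla_days"])
                + check_continuity(controls))
    severities = {f["severity"] for f in findings}
    overall = "high" if "high" in severities else "medium" if "medium" in severities else "low"
    return {"overall": overall, "findings": findings}


if __name__ == "__main__":
    result = assess(ASSETS, CONTROLS)
    print("overall:", result["overall"])
    for f in result["findings"]:
        print(f"  [{f['severity']}] {f['asset']} {f['area']}: {f['detail']}")
```

On the constructed data the unsegregated, unpatched XP host drives the overall rating to high on its own, while the XP host that is both under extended support and segregated is reported but only as a medium finding, which is the distinction the first consideration draws.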

We have long been aware that cyber extortion has been on the rise, with reports that attacks quadrupled in 2016 and that extortion attacks are becoming increasingly more sophisticated. Whilst we wait to see the true impact of this incident on the cyber market, this cyber-attack serves to highlight some of the issues facing the insurance industry.

About EmergIn Risk

WHO WE ARE

EmergIn Risk (EmergIn) is a London-based Managing General Agency that specialises in developing innovative, enterprise-wide cyber solutions for global companies. We engage with our clients to identify how a potential cyber event could affect their operations and work to understand the financial implications of such an event…

ABOUT JAMIE BOULOUX, Chief Executive Officer

Jamie Bouloux is an acknowledged and well known cyber expert. Prior to starting EmergIn Risk, Jamie was responsible for the cyber insurance proposition in over 50 jurisdictions worldwide as part of previous roles as the Head of Cyber, Technology and Media for AIG EMEA, and as lead underwriter for CFC Underwriting’s large corporate cyber facility. In these roles, Jamie has worked alongside brokers and clients across the globe to develop unique…